Last update: January 2026 · Version 1.0
Data Processing Agreement
This Personal Data Processing Agreement ("DPA") is established between RegDoor acting as "Processor" and the Client as "Controller," as defined in the Agreement signed by the Client with RegDoor.
The DPA governs how RegDoor processes personal data for the Client's use of the RegDoor application. Both parties aim to comply with EU GDPR requirements regarding the Processor's handling of Personal Data as outlined in their main Agreement. Except as modified by this document, all Agreement terms remain fully effective.
1. Definitions
- 1.1 Data Transfer: Movement of Personal Data from Controller to Processor, between Processor establishments, or involving a Sub-processor.
- 1.2 EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons.
- 1.3 Standard Contractual Clauses: Contractual clauses per European Commission Implementing Decision (EU) 2021/914 for transferring Personal Data to third-country processors lacking adequate data protection.
- 1.4 Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines data processing purposes and means.
- 1.5 Processor: Natural or legal person, public authority, agency, or entity processing personal data on the controller's behalf.
- 1.6 Sub-processor: A processor or sub-contractor engaged by the Processor to provide all or part of Services, processing Personal Data as provided by the Controller.
2. Purpose of this Agreement
This DPA establishes the Processor's obligations regarding Personal Data processing, limited to obligations under the main Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.
3. Categories of Personal Data and Data Subjects
The Controller authorizes the Processor to process Personal Data to the extent the Controller determines and regulates.
4. Purpose of Processing
Personal Data processing by the Processor is limited to providing Services to the Controller or its Client pursuant to the Agreement.
5. Duration of Processing
The Processor processes Personal Data throughout the Agreement duration, unless otherwise agreed in writing by the Controller.
6. Data Controller's Obligations
6.1 The Controller warrants it possesses all necessary rights to provide Personal Data to the Processor for agreed services. The Controller must ensure it provides data based on an appropriate legal basis and obtains necessary Data Subject consents, maintaining consent records. If consent is revoked, the Controller must promptly notify the Processor.
6.2 The Controller must immediately inform the Processor in writing upon:
- 6.2.1 Receiving complaints or allegations indicating Data Privacy Laws violations regarding Personal Data
- 6.2.2 Receiving requests from individuals seeking to access, correct, or delete Personal Data
- 6.2.3 Receiving inquiries or complaints from individuals concerning Personal Data collection, processing, use, or transfer
- 6.2.4 Receiving regulatory requests, search warrants, or legal, regulatory, administrative, or governmental processes seeking Personal Data
7. Data Processor's Obligations
7.1 The Processor processes Personal Data only as necessary to provide services described in this Agreement and according to written, documented instructions from the Controller.
7.2 At the Controller's request, the Processor provides reasonable assistance in responding to requests or directions from Data Subjects exercising their rights or from applicable regulatory authorities.
7.3 The Processor informs the Controller if, in its opinion, a processing instruction violates applicable legislation or regulation.
7.4 As Data Processor, the Processor may assist the Controller in conducting necessary Data Protection Impact Assessments (DPIAs) as required under GDPR.
8. Audit Rights
8.1 Upon reasonable Controller request, the Processor makes available information reasonably necessary to demonstrate compliance with EU GDPR obligations.
8.2 When the Controller wishes to conduct audits at the Processor's site, it must provide at least thirty days' prior written notice. The Processor provides reasonable cooperation and assistance with audits, including inspections.
8.3 The Controller bears all audit expenses.
9. Mechanism of Data Transfers
Any Personal Data transfer outside the European Economic Area occurs only per the Standard Contractual Clauses and applicable Data Protection Laws. The Processor shall implement supplementary measures and conduct transfer impact assessments where required.
10. Sub-processors
10.1 The Controller acknowledges the Processor may engage third-party Sub-processors for Services performance, provided such Sub-processors implement technical and organizational measures ensuring Personal Data confidentiality. The Processor notifies the Controller at least thirty calendar days before any Sub-processor changes or additions. The Processor shall remain liable to the Controller for any failure by a Sub-processor to fulfil its data protection obligations.
10.2 If the Controller believes a Sub-processor's processing reasonably risks breaching GDPR obligations, the Controller may object, and both parties shall confer in good faith to address the concern.
11. Personal Data Breach Notification
11.1 The Processor maintains Personal Data Breach procedures and notifies the Controller without undue delay upon becoming aware of any Personal Data Breach, unless such breach is unlikely to risk natural persons' rights and freedoms.
11.2 The Processor provides the Controller reasonable assistance complying with Personal Data Breach notifications to Supervisory Authorities and/or Data Subjects.
11.3 Processor's notification of or response to a Personal Data Breach will not be construed as an acknowledgement by Processor of any fault or liability.
12. Return and Deletion of Personal Data
12.1 At least thirty days from Agreement end or Service cessation, whichever occurs earlier, the Processor returns all Personal Data to the Controller or deletes it per Controller instructions. The Processor shall return such Personal Data in a commonly used format or in the current format in which it was stored, at the Controller's discretion, as soon as reasonably practicable.
Schedule 1 — Annex I: Technical and Organisational Measures
Security Management System
- Organization: RegDoor designates qualified security personnel responsible for developing, implementing, and maintaining the Information Security Program.
- Policies: Management reviews and supports all security-related policies ensuring the security, availability, integrity, and confidentiality of Customer Personal Data. These policies are reviewed and updated at least annually.
- Assessments: RegDoor engages a reputable independent third party to perform risk assessments of all systems containing Customer Personal Data at least annually.
- Risk Treatment: RegDoor maintains a formal risk treatment program including penetration testing, vulnerability management, and patch management.
- Vendor Management: RegDoor maintains an effective vendor management program.
- Incident Management: RegDoor regularly reviews security incidents, including effective root cause determination and corrective action.
- Standards: RegDoor adopts key applicable organizational and technical security measures, including ISO Standards of the 27000 family.
Personnel Security
RegDoor personnel must conduct themselves consistent with company guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. RegDoor conducts reasonably appropriate background checks on employees accessing client data, to the extent legally permissible. Personnel must execute written confidentiality agreements upon hire, and receive privacy and security training implementing the Information Security Program.
Access Management
RegDoor maintains a formal access management process for requesting, reviewing, approving, and provisioning personnel accessing Customer Personal Data. Access is limited to properly authorized persons needing such access. Periodic access reviews ensure only necessary personnel retain access.
Access Control and Privilege Management
RegDoor and Customer administrators and end users authenticate via multi-factor authentication or single sign-on systems.
Internal Data Access Processes and Policies
RegDoor's internal data access processes and policies protect against unauthorized access, use, disclosure, alteration, or destruction of Customer Personal Data. Systems are designed following the "least privilege" and "need to know" principles. RegDoor requires unique user IDs, strong passwords, two-factor authentication, and carefully monitored access lists. System access is logged, creating audit trails for accountability.
Data Centers
- Infrastructure: RegDoor uses AWS as its data center provider.
- Resiliency: AWS Multi Availability Zones are enabled. RegDoor conducts regular Backup Restoration Testing.
- Server Operating Systems: RegDoor's servers are customized and hardened for application security. RegDoor employs a code review process to increase the security of the Services' code.
- Disaster Recovery: RegDoor replicates data across multiple systems protecting against accidental destruction or loss, and regularly tests its disaster recovery programs.
- Security Logs: RegDoor's systems have logging enabled supporting security audits and monitoring.
- Vulnerability Management: RegDoor performs regular vulnerability scans on all production and development environment infrastructure. Critical, High, and Medium security patches are installed as soon as commercially possible.
Networks and Transmission
- Data Transmission: Production environment transmissions occur via Internet standard protocols.
- External Attack Surface: An AWS Security Group, which acts as a virtual firewall, is in place for the Production environment on AWS.
- Incident Response: RegDoor maintains incident management policies and procedures. Security personnel react promptly to suspected or known incidents, mitigate harmful effects, and document security incidents and their outcomes.
- Encryption Technologies: RegDoor makes HTTPS encryption (TLS) available for data in transit.
Data Storage, Isolation, Authentication, and Destruction
RegDoor stores data in a multi-tenant environment on AWS servers. Data is replicated between multiple AWS availability zones. RegDoor logically isolates different customers' data. A central authentication system is used across all Services. RegDoor ensures secure Client Data disposal through data destruction processes.
Annex II — List of Sub-processors
| Sub-Processor | Description of Processing | Location |
|---|---|---|
| Amazon Web Services | Hosting the Production Environment | Ireland |